ApsaraVideo Live allows you to perform access control by using a Referer blacklist or whitelist, User-Agent blacklist or whitelist, and IP address blacklist or whitelist. This topic describes the access control service of ApsaraVideo Live, the scenario in which you can use this service, and how to configure this service.

Overview

The access control service allows you to configure access policies in the cloud to provide basic protection for video resources. The access control service has a low learning curve and immediately takes effect. The service requires only simple configuration in the cloud. No additional development is required. The regular access control policies include:

  • Referer blacklist or whitelist
  • User-Agent blacklist or whitelist
  • IP address blacklist or whitelist

Note: You cannot configure a User-Agent blacklist or whitelist in the ApsaraVideo Live console due to cumbersome configuration and the risk of misoperation. If you need to configure a User-Agent blacklist or whitelist, submit a ticket or contact Alibaba Cloud after-sales engineers.

Scenario

  • The access control service requires only simple configuration, which makes the service easy to use. The access control service can provide basic protection, especially for access from web browsers.
  • Referer and User-Agent blacklists and whitelists both rely on HTTP request headers, which clients can easily forge, so they provide only weak protection.
  • An IP blacklist or whitelist hinders the distribution of content to a large number of consumers, and therefore is not suitable for large-scale content distribution.

Referer blacklist or whitelist

  • Overview
    • Referer is used to track and identify where requests come from based on the HTTP protocol. You can configure a Referer blacklist or whitelist to identify and filter users. This allows you to control access to video resources.
    • After a user sends a request to a CDN node, the node authenticates the user based on the preset Referer whitelist or blacklist. If the user passes the authentication, video data is returned. If the user fails the authentication, the request is denied and HTTP status code 403 is returned.
    • A Referer blacklist or whitelist is optional. By default, a Referer blacklist or whitelist is disabled.
    • After you configure a Referer blacklist or whitelist, wildcard domain names are supported. For example, if you enter a.com, the domain that takes effect is *.a.com. The Referer blacklist or whitelist takes effect on all subdomains.
    • You can specify whether to allow requests that have an empty Referer header to access resources. If you allow the access, users can directly access resources by entering the resource URLs in the address box of a browser.
  • Configuration methods
  • Usage notes
    • The blacklist and whitelist are mutually exclusive and cannot be enabled at the same time.
    • Typically, mobile terminals do not provide the Referer header. By default, requests that have an empty Referer header are allowed, which lets mobile terminals access your resources. You can choose to deny requests that have an empty Referer header. If you want to allow access from mobile terminals after you deny requests that have an empty Referer header, you can set the Referer header for mobile terminals by using ApsaraVideo Player. For more information.
    • If you deny requests that have an empty Referer header, you must configure HTTPS secure acceleration and enable the forcible redirect from HTTP to HTTPS. Some browsers remove the Referer header from HTTPS requests that access HTTP resources. In this case, the access fails for these HTTPS requests.
  • Example

    The streaming domain is pull.test1.aliyunlive.com. The domain aliyun.com is added to the Referer whitelist. Access is disabled for requests that have an empty Referer header.

    1. Request:
      curl -i 'http://pull.test1.aliyunlive.com/apptest/stream0000'
    2. Response:
      X-Tengine-Error:denied by Referer ACL
    3. A success response is returned for the following request that contains an allowed Referer:
      curl -i 'http://pull.test1.aliyunlive.com/apptest/stream0000' \
      -H 'Referer: http://www.aliyun.com' 
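
The decision described in this section can be modelled offline to check a planned list before it is applied. The following is an added example, not Alibaba Cloud code: `check_referer` and `host_matches` are hypothetical names, the sample Referer values are constructed, and matching the apex domain as well as its subdomains is an assumption.

```python
from urllib.parse import urlsplit


def host_matches(host, entry):
    """An entry such as 'a.com' acts as '*.a.com'. Matching the apex
    domain itself as well is an assumption of this sketch."""
    entry = entry.lower().lstrip("*.")
    return host == entry or host.endswith("." + entry)


def check_referer(referer, mode, entries, allow_empty):
    """Return the HTTP status (200 or 403) a node would give the request.

    mode is 'whitelist' or 'blacklist'; the two are mutually exclusive.
    """
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    if referer is None or not referer.strip():
        return 200 if allow_empty else 403
    try:
        host = urlsplit(referer.strip()).hostname  # lower-cased, port removed
    except ValueError:
        host = None
    # A Referer with no parseable host cannot match any list entry.
    listed = host is not None and any(host_matches(host, e) for e in entries)
    if mode == "whitelist":
        return 200 if listed else 403
    return 403 if listed else 200


if __name__ == "__main__":
    acl = ["aliyun.com"]  # whitelist from the example above
    # Constructed sample Referer values.
    samples = [None, "http://www.aliyun.com", "http://aliyun.com.example.net/",
               "http://notaliyun.com/", "http://example.net/?from=aliyun.com"]
    for ref in samples:
        print(repr(ref), check_referer(ref, "whitelist", acl, allow_empty=False))
```

Comparing whole host labels rather than substrings is what keeps look-alike hosts such as `aliyun.com.example.net` outside the whitelist; the header value itself is still supplied by the client.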

User-Agent blacklist or whitelist

  • Overview

    User-Agent is a special string header. It helps the server identify the operating system type and version, CPU type, browser type and version, browser rendering engine, language, and plug-in that are used by users. You can configure a User-Agent blacklist or whitelist to control access from specific browsers or terminals.

  • Configuration methods

    Submit a ticket or contact Alibaba Cloud after-sales engineers.

  • Example
    • User-Agent header for Internet Explorer 9.0 on a Windows PC:
      User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    • Simulate the following HTTP request for verification:
      curl -i 'http://pull.test1.aliyunlive.com/apptest/stream0000' \
      -H 'User-Agent: iPhone OS;MI 5'

IP address blacklist or whitelist

  • Overview

    ApsaraVideo Live allows you to configure an IP address blacklist or whitelist to deny or allow access only from specific IP addresses.

    • If an IP address blacklist is configured, the IP addresses in the blacklist are not allowed to access the current domain name for CDN.
    • If an IP address whitelist is configured, only IP addresses in the whitelist can access the current domain name for CDN.
    • You can add a list of IP addresses or a CIDR block.

      For example, you can add 127.0.0.1/24 to the IP address blacklist or whitelist. The /24 suffix indicates that the first 24 bits form the network portion of the address. The remaining 8 bits are host bits. The subnet can accommodate 254 hosts. Therefore, the IP addresses are 127.0.0.1 to 127.0.0.255.
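
To see exactly which addresses a list entry covers before you add it, you can expand it with Python's standard `ipaddress` module. This is an added example, not Alibaba Cloud code: `describe` and `ip_allowed` are hypothetical names, the client addresses are constructed, and normalizing an entry whose host bits are set (such as 127.0.0.1/24) to its enclosing block is an assumption about how the entry is interpreted.

```python
import ipaddress


def parse_acl(entries):
    """Parse single IPs and CIDR blocks into network objects.

    strict=False accepts entries with host bits set, such as 127.0.0.1/24,
    and normalizes them to the enclosing block; strict parsing rejects them.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def describe(entry):
    """Summarize the address range one ACL entry covers."""
    net = ipaddress.ip_network(entry.strip(), strict=False)
    return {
        "network": str(net),
        "first": str(net[0]),
        "last": str(net[-1]),
        "addresses": net.num_addresses,
    }


def ip_allowed(client_ip, mode, entries):
    """Whitelist: only listed addresses pass. Blacklist: listed addresses are denied."""
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in net for net in parse_acl(entries))
    return listed if mode == "whitelist" else not listed


if __name__ == "__main__":
    print(describe("127.0.0.1/24"))
    # Constructed client addresses checked against the entry from the text.
    for ip in ("127.0.0.200", "127.0.1.1"):
        print(ip, ip_allowed(ip, "whitelist", ["127.0.0.1/24"]))
```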

  • Configuration methods